Microsoft fixes 6 zero-days under active attack – Help Net Security

August 2024 Patch Tuesday has arrived, with Microsoft fixing a total of 90 vulnerabilities. Six of them are zero-days that are being actively exploited in the wild, and four more were publicly known before the patches shipped.

The zero-days under attack

CVE-2024-38178 is a Scripting Engine Memory Corruption Vulnerability that can lead to remote code execution. The flaw, reported by AhnLab and South Korea’s National Cyber Security Center (NCSC), can only be exploited when the user is running Microsoft Edge in Internet Explorer Mode. The attack requires an authenticated user to click a specially crafted URL, which lets an unauthenticated attacker achieve remote code execution. Kevin Breen, Senior Director of Cyber Threat Research at Immersive Labs, notes that while this mode is not the default for most users, its active exploitation indicates that attackers may have targeted specific organizations or users with this configuration.

CVE-2024-38106 is a bug in the Windows Kernel that could let attackers gain SYSTEM privileges. Exploiting it requires winning a race condition, which is not trivial, but Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, points out that some race conditions are more easily exploited than others. He emphasizes that the Common Vulnerability Scoring System (CVSS) can sometimes misrepresent the exploitability of such vulnerabilities.

CVE-2024-38107 is another privilege escalation vulnerability, this one in the Windows Power Dependency Coordinator, the component that lets Windows devices wake quickly from sleep. The attack vector is local: an attacker must either already have access to the target system or trick the user into performing the necessary actions. Microsoft has not disclosed further details about how the vulnerability is being exploited.

CVE-2024-38193, in the Windows Ancillary Function Driver for WinSock, is another locally exploitable privilege escalation flaw. Microsoft has not provided specific details, but the identities of the reporters, Luigino Camastra and Martin a Milánek from Gen Digital (Avast), suggest that the attackers’ goal may be to run malware with SYSTEM privileges.

CVE-2024-38213 lets attackers bypass Windows SmartScreen. SmartScreen checks are triggered by the Mark of the Web, a flag Windows attaches to files downloaded from untrusted sources such as the internet. Microsoft says an attacker must send the victim a malicious file and persuade them to open it, and that this is evidently happening in the wild. Breen explains that this vulnerability typically forms part of an exploit chain, often modifying malicious documents or executable files before distribution via email or compromised websites.
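To make the Mark of the Web concrete, here is an added PowerShell example (not code from the article or from Microsoft) that shows what the “flag” is: an NTFS alternate data stream named Zone.Identifier whose ZoneId value of 3 marks the file as coming from the Internet zone, which is what SmartScreen and Office Protected View key on. The sample file name and the HostUrl value are constructed for the demonstration.

```powershell
# Added example, not part of the original article.
# Inspect, set and remove the Mark of the Web (Zone.Identifier stream) on a file.
$path = Join-Path $env:TEMP 'constructed-sample.docx'   # constructed sample file
Set-Content -Path $path -Value 'not a real document'

function Get-MotW {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the parsed Zone.Identifier stream, or $null when the file carries no MotW.
    $raw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $zone = @{}
    foreach ($line in $raw) {
        # Lines look like "ZoneId=3" or "HostUrl=https://..."; the "[ZoneTransfer]" header is skipped.
        if ($line -match '^(\w+)=(.*)$') { $zone[$Matches[1]] = $Matches[2] }
    }
    return [pscustomobject]$zone
}

# 1. A file created locally has no Zone.Identifier stream, so SmartScreen is never consulted.
Get-MotW -Path $path

# 2. Stamp the file the way a browser download would (ZoneId 3 = Internet zone).
$motw = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/constructed-sample.docx"
Set-Content -Path $path -Stream Zone.Identifier -Value $motw
Get-MotW -Path $path          # ZoneId 3: SmartScreen and Protected View now apply on open

# 3. Unblock-File deletes the stream; that is the user-consented equivalent of what a
#    SmartScreen bypass achieves without asking the user.
Unblock-File -Path $path
Get-MotW -Path $path          # $null again

# Hunting aid: list files in the Downloads folder that carry no MotW at all.
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -File -ErrorAction SilentlyContinue |
    Where-Object { -not (Get-MotW -Path $_.FullName) } |
    Select-Object FullName, LastWriteTime
```

Two caveats worth keeping in mind when using this as a check: the Zone.Identifier stream only exists on NTFS volumes, so a file copied to FAT/exFAT media or extracted by an archiver that does not propagate the stream loses its mark silently, and a file without the mark looks identical to the hunting query whether it was created locally or had its mark stripped by an attacker.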

Lastly, CVE-2024-38189 is a vulnerability in Microsoft Project that is triggered by tricking a user into opening a specially crafted Project file on a system where certain macro protection settings are disabled. It could allow an attacker to achieve remote code execution on the host. Childs remarks on the unusual nature of a code execution vulnerability in Project, noting its exploitation in the wild. He likens it to common phishing attacks, where threat actors leverage human behavior to entice users into opening weaponized documents.

The publicly known vulnerabilities

CVE-2024-38200, a spoofing vulnerability affecting Microsoft Office, discovered by Jim Rush of PrivSec Consulting and Metin Yunus Kandemir with Synack’s Red Team, may allow attackers to capture and relay the target’s NTLM hash. Microsoft has already implemented an alternative fix, but users are encouraged to adopt the final solution released today.

CVE-2024-21302 and CVE-2024-38202 are elevation of privilege (EoP) flaws in Windows Secure Kernel Mode and the Windows Update Stack, respectively. Disclosed by SafeBreach researcher Alon Leviev at Black Hat, they can be used for covert downgrade attacks that make otherwise up-to-date Windows machines vulnerable again by reintroducing previously mitigated vulnerabilities. CVE-2024-21302 has a partial fix in the form of a Microsoft-signed revocation policy, while a complete fix for CVE-2024-38202 is still in development; Microsoft has outlined mitigations in the meantime.

CVE-2024-38199 is a use-after-free flaw in the Windows Line Printer Daemon (LPD) Service that an unauthenticated attacker can exploit by sending specially crafted print tasks over the network to a shared, vulnerable LPD service. Microsoft warns that successful exploitation could lead to remote code execution on the server. Fortunately, LPD has been deprecated for over a decade and is neither installed nor enabled by default. For those still running LPD, however, this remains a critical update.
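Two of the bugs above only matter on hosts in a specific configuration: the LPD service must be installed and listening for CVE-2024-38199, and Edge must be running in Internet Explorer Mode for CVE-2024-38178. The following added PowerShell check (written for this page, not published by Microsoft or Help Net Security) reports both conditions so the patch can be prioritised. It assumes the LPD service name LPDSVC, the standard LPD port TCP 515, and the Edge policy value InternetExplorerIntegrationLevel under HKLM\SOFTWARE\Policies\Microsoft\Edge, where 1 means IE mode is enabled.

```powershell
# Added example, not part of the original article.
# Reports whether this host is in either configuration the article flags as exposed.

function Test-LpdExposure {
    # LPD ships as optional feature 'Printing-Foundation-LPDPrintService' on client SKUs
    # (role service 'LPD-Print-Service' on Windows Server) and runs as service LPDSVC on TCP 515.
    $svc = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        Check               = 'CVE-2024-38199 (LPD)'
        LpdServiceInstalled = [bool]$svc
        LpdServiceStatus    = $status
        Port515Listening    = [bool]$listening
        Exposed             = [bool]$svc -and [bool]$listening
    }
}

function Test-IeModeExposure {
    # Edge IE mode is turned on by policy; machine policy lives under HKLM, user policy under HKCU.
    $results = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Edge"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $level = $props.InternetExplorerIntegrationLevel     # 0 = none, 1 = IE mode, 2 = NeedIE
        $levelText = if ($null -ne $level) { $level } else { 'NotConfigured' }
        [pscustomobject]@{
            Check         = 'CVE-2024-38178 (Edge IE mode)'
            PolicyHive    = $hive
            IeModeLevel   = $levelText
            SiteList      = $props.InternetExplorerIntegrationSiteList
            Exposed       = ($level -eq 1)
        }
    }
    return $results
}

Test-LpdExposure | Format-List
Test-IeModeExposure | Format-List
```

Run it in an elevated PowerShell on each server or workstation of interest; Get-NetTCPConnection needs the NetTCPIP module that ships with Windows 8 / Server 2012 and later. An Exposed value of $true on either check does not mean the host is compromised, only that it is in the configuration the corresponding CVE needs, so it should move to the front of the patching queue.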

It is worth noting that several critical vulnerabilities addressed this month were fixed on Microsoft’s side and require no action from customers. These include two server-side request forgery (SSRF) flaws found by Tenable researchers: one (CVE-2024-38206) in Microsoft’s Copilot Studio, which could lead to information disclosure, and another (CVE-2024-38109) in Azure Health Bot, which could be exploited to escalate privileges and access cross-tenant resources.
